[Pkg-openldap-devel] Bug#512785: Bug#512785: slapd: syncrepl client fails TLS unless server also has TLS

Rob Sims debbugs-z at robsims.com
Fri Jan 23 22:27:22 UTC 2009


Thanks for the prompt response.

On Fri, Jan 23, 2009 at 11:52:42AM -0800, Quanah Gibson-Mount wrote:
> --On Friday, January 23, 2009 10:49 AM -0700 Rob Sims  
>> The problem goes away if I set server side parameters
>> TLSCACertificateFile, TLSCertificateFile, and TLSCertificateKeyFile to
>> valid values (I didn't try any smaller sets).

> tls_cacert is, as is stated in the docs, an override, not an  
> initialization. I.e., for it to work, there must be a default server  
> configuration first.  There is no bug here.

I think it's reasonable to not have to generate a certificate/key pair
(and possibly a CA certificate if you're cloning a database you don't
own) that are unused because the server side doesn't offer TLS.  

The application in this case is an intermittently connected device,
where full-time access to data is desired.  The device itself serves no
networked clients.

I'm perfectly happy calling this a feature request, and assigning low
priority, as there is a rational workaround, but please leave this
report in a visible state until the syncrepl client can use TLS
independent of server TLS usage, or an appropriate error message is
generated.

>> From slapd.conf(5):

> The tls_reqcert setting defaults to "demand" and the other TLS
> settings default to the same as the main slapd TLS settings.

> This definitely could be clearer as to what it means, I'll follow up  
> upstream.

The docs in general need more detail on TLS setup especially due to
the usage of GnuTLS; most online information covers openssl.  In
particular, I'd suggest:
  - noting a good set of ownership and permissions for key and cert
    files; that the files are read after process ownership changes, and
    not before.

  - tls_cacertdir should note "is not supported when using GNUtls." like
    the TLSCACertificatePath does

  - if the only immediate fix is to be documentation:
    "TLS usage by any module such as syncrepl requires that the local
    server also be configured to serve TLS."

On the client pages:
  - "<client> will use a configuration file as described in ldap.conf(5)";
    normally I'd suggest including the actual loading rules, but they're
    a bit extensive to repeat everywhere.  The "See Also" reference is
    insufficient as the conf file is an integral part of operation of
    the tool.

  - Note that the ldap.conf file has a richer set of options than the
    command line

  - That you must have a conf file to use the clients with TLS, as
    there isn't a command line option for either the TLS_CACERT or
    TLS_REQCERT options.

  - That the default is to fail ldaps: queries if the server certificate
    is valid but unverifiable; this is notable because the default
    behavior of many other apps is to query the user in this case.

-- 
Rob
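The configuration below is an added illustration, not part of the original report or of the Debian package; it shows the failing and the working consumer setups the thread describes, plus the client-side ldap.conf settings the report says have no command-line equivalent. All file paths, the provider hostname, the rid, the bind DN and the suffix are assumed values.

```conf
# --- slapd.conf on the syncrepl consumer (the intermittently connected device) ---
#
# FAILS as reported in the thread: tls_cacert on the syncrepl line only
# overrides the server-wide TLS settings, so with no TLSCACertificateFile /
# TLSCertificateFile / TLSCertificateKeyFile configured, slapd has no TLS
# context and the consumer's starttls=critical cannot be honoured.
#
#   database        bdb
#   suffix          "dc=example,dc=com"            # assumed suffix
#   syncrepl rid=001
#       provider=ldap://ldap.example.com:389       # assumed provider
#       type=refreshAndPersist
#       searchbase="dc=example,dc=com"
#       bindmethod=simple
#       binddn="cn=replicator,dc=example,dc=com"   # assumed DN
#       credentials=secret
#       starttls=critical
#       tls_cacert=/etc/ldap/ca.pem                # assumed path
#       tls_reqcert=demand

# WORKS (the workaround from the thread): give the server its own TLS
# configuration first, even though this host serves no networked clients.
# A locally generated certificate/key pair is enough to satisfy slapd's
# TLS initialisation; the files must be readable by the user slapd runs as,
# since they are opened after the privilege drop (per the report).
TLSCACertificateFile    /etc/ldap/ca.pem           # assumed path
TLSCertificateFile      /etc/ldap/consumer-cert.pem
TLSCertificateKeyFile   /etc/ldap/consumer-key.pem
# Note: TLSCACertificatePath (and the syncrepl tls_cacertdir override)
# is not supported with the GnuTLS build, so a single bundle file is used.

database        bdb
suffix          "dc=example,dc=com"
syncrepl rid=001
    provider=ldap://ldap.example.com:389
    type=refreshAndPersist
    searchbase="dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=secret
    starttls=critical
    tls_cacert=/etc/ldap/ca.pem
    tls_reqcert=demand

# --- /etc/ldap/ldap.conf for the command-line clients (ldapsearch etc.) ---
#
# TLS_CACERT and TLS_REQCERT exist only here, not as client flags; with
# TLS_REQCERT demand (the default) an unverifiable server certificate is a
# hard failure rather than a prompt.
URI         ldaps://ldap.example.com/
BASE        dc=example,dc=com
TLS_CACERT  /etc/ldap/ca.pem
TLS_REQCERT demand
```

Testing the consumer side with the same trust material the clients use, e.g. `ldapsearch -ZZ -H ldap://ldap.example.com -b dc=example,dc=com`, separates a CA-file problem from the "no server TLS context" failure the thread is about: if the client succeeds against the provider but syncrepl still fails, the missing server-wide TLS* directives are the cause.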